2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6

Analysis

max time kernel
124s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe
Size

420KB
MD5

36b0b7117db939d90551f520d5d01b00
SHA1

2319f0bb15e03852259776675628ec1287c3d369
SHA256

2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6
SHA512

4b4a2dfa872fcaeaea6137188b071a2c168b39903ef6905413161c7909b5043b89f6d0c1cc43c2ba249c16c638468bb22a1e5a11eb5b1d67efa548fd431590e4
SSDEEP

6144:jrl4unt0McMHehgSqfWxfh0SM/r01uVs7f/aRvE9mSIE9Svz7geVz65JM7s1E8pG:xLwOeZqgvwa2x6HHVJ4

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Office Outlook = "C:\\'\\'\\csrss.exe"	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\'\Desktop.ini	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe
File opened for modification	C:\'\Desktop.ini	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Autorun.inf	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe
File opened for modification	C:\Autorun.inf	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe

C:\Users\Admin\AppData\Local\Temp\2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe
"C:\Users\Admin\AppData\Local\Temp\2053cabfcdc11ba74c6146c1fc85068abce2515da02783575bc3b6fc733b68c6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
PID:2548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-134-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2548-135-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads